Presenter: Paul Arnold


Topic: Capacity and Capability Plan 


Reason for report: Earlier in the year we took an action to refresh our 
three-year Resource and Infrastructure Plan with a new Capacity and 
Capability Plan. This work was progressed and had been due to come to 
Board in May. However, this was paused at the last moment to allow the 
work to take full account of the impact of Covid as well as the emerging 
direction of our constitutional review and the Government’s Data 
Strategy. 


Purpose of report: This has now been done and the attached plan is 
now coming to Management Board for scrutiny and sign off once the 
Board is comfortable with the priorities and associated actions. From 
there the progress towards completion of the actions will be tracked and 
reported to Management Board every four months. 


Publication considerations: This report can be published internally 
and externally. 


Author: Paul Arnold 


List of Annexes: Annex A - Capacity and Capability Plan - 2020 to 
2024


Annex A


Capacity and Capability Plan - 2020 to 2024 


Introduction and Context 


The ICO has made significant progress in meeting the challenge of a 
rapidly changing economic, political, technological and societal landscape. 
Through our ongoing transformation programme in response to the 
significant upgrade to our remit and powers in May 2018, we have 
focused on meeting our responsibilities to both the public and the 
organisations we regulate. 


We have done this by rapidly increasing the capacity and capability of the 
ICO and putting in place the infrastructure to continue to develop our 
resources, skills and operating model in response to an ever-evolving 
regulatory environment. But as we pass two years since the significant 
upgrade to our remit and powers, we must continue to accelerate our 
transformation plans to achieve our ultimate capacity and capability 
objectives. 


Importantly, as referenced in the ICO’s Management Agreement with
DCMS since 2017, the ICO now has a statutory duty to have regard to the
desirability of promoting economic growth when undertaking its functions.
This ‘growth duty’ came into statutory effect on 29 March 2017 under the
Deregulation Act 2015.


We have since made good progress introducing a range of new services to 
support and promote privacy safeguards as a foundation to innovation 
and economic growth. There is however much more progress we want to 
make to develop this element of our remit in addition to meeting demand 
for our more long-standing statutory responsibilities. 


This capacity and capability plan therefore supports the ICO to continue to 
develop a broader, more diverse and balanced range of upstream and 
downstream regulatory services against the backdrop of the UK’s 
withdrawal from the EU and recovery from the early impact of Covid-19. 
It sits alongside and enables the delivery of our Information Rights 
Strategic Plan and describes how we will meet our future challenges. It 
sets out how we'll ensure we have the right culture, people, processes 
and infrastructure in place to deliver against our strategic objectives and 
clearly defined priorities. 


Our plan is focussed on what we want to achieve to deliver three key 
strategic goals. Integral to each goal are our values of ambition, service
focus and collaboration, ensuring that efficiency and high levels of
productivity are fundamental to the success of the ICO with our progress 
clearly measured and reported. We will also continue to benchmark our 
work and look for new developments and good practice to ensure we 
continuously improve. Our capacity and capability goals are to have: 


• Infrastructure that enables us to operate effectively, responding to
the views and needs of our customers and stakeholders and
developments in the external environment.

• Systems and processes that support the effective and efficient
delivery of our services to our customers and stakeholders.

• An organisational culture built around people with the right skills
and experience, which meets the needs of our customers and
stakeholders.


The all-important actions to achieve these goals are set and reviewed for
a rolling 18 month period to ensure our delivery will be iterative and agile,
able to learn from our experience and continuously respond to a changing
external environment and the needs of our customers and stakeholders.


Goal # 1 To have the infrastructure that enables us to operate 
effectively, responding to the views and needs of our customers 
and stakeholders and developments in the external environment 


To achieve this, we have identified the following strategic priorities: 


Digital, Data and Technology - having the technical tools, skills 
and techniques to support the effective and efficient delivery of 
our services to our customers and stakeholders 


We will use the best technology has to offer to develop our systems to 
produce great outcomes for our customers. 


We will develop our data and knowledge services, to ensure our teams 
have access to the right insight and information, leveraging our own data 
and information to target resources effectively in response to threats, 
risks or opportunities as they emerge on the horizon. 


Actions:


Digital and IT Strategy - Deploy an updated Digital and IT strategy and
associated road map, including implementation of an updated operating
model - July 2021.


Data Strategy - Develop and implement an ICO Data Strategy, including
the introduction of a new Intelligence Database and improved BI and MI 
infrastructure to better present intelligence and information to inform 
decisions and actions - July 2021. 


ERP Systems - Implement new ERP system to recognise the end of the 
current contracts with HR and Finance systems - April 2022. 


Knowledge Management Infrastructure - Review our KM infrastructure 
and systems to ensure new guidance, policy and regulatory decisions are 
able to be developed and effectively disseminated and communicated to 
ICO staff, with a clear road map for future development of our knowledge 
services - March 2021.


Resource deployment - able to rapidly flex and deploy our 
technical, physical and people resources to meet demand 


We will prioritise based on the needs of our customers, stakeholders and
our regulatory priorities, having the right balance of multi-disciplinary and
technical/functional specialist resources and being able to surge the right
capacity and capability onto emerging risks and opportunities which
require action.


We will develop our programme and project approach, resourcing our 
regulatory priorities and our transformation agenda and setting up a 
Programme Management Office to ensure we continue to manage these 
programmes effectively and with clear Board level accountability for our 
most strategic transformation programmes. 


Actions: 


Programme Management - Establish a Project Management Office and 
dedicated programme and project roles for both regulatory and corporate 
activities. Initial Programme Management capacity to be increased by 
January 2021 and PMO to be fully operational - July 2021. 


Surging Resources - Ensure that protocols and mechanisms are in place 
for deploying and surging resources to address priorities - January 2021. 


Capacity Building - Identify and further opportunities for alternative 
delivery models, including the option to utilise or provide shared services 
and processes by March 2021. This to also include establishing a 
proportionate mix between functionally organised resources and more 
centrally deployed multi-disciplinary capacity - July 2021.


Communications, Engagement and Insight - Gathering insight
from our audiences and stakeholders, developing the best ways to 
reach and engage with them 


We will proactively communicate and engage with our internal and 
external customers and stakeholders, listening and sharing our 
knowledge, information and advice through a clear and consistent 
narrative and strategy. 


We will embed our internal communications strategy to support 
colleagues to deliver the organisation’s objectives, understand the 
connection between their job and the organisation’s vision and support 
productivity and performance. 


Actions: 


Stakeholder Engagement Methodology - Establish updated stakeholder 
engagement strategy and management model through Communications 
and Engagement Board - October 2020. 


Corporate Narrative - Deploy and fully operationalise corporate narrative 
complete with infrastructure to review and refresh quarterly - January 
2021. 


Stakeholder Perception - Establish a programme of stakeholder insight 
and perception research across the public, private sector, public sector, 
third sector, Government and consumers and use it to inform our 
regulatory priorities - April 2021. 


Digital Communications - Development of digital solutions to enable 
greater engagement with colleagues across the organisation through 
modern internal communications infrastructure - April 2021. 


Finances - having a funding model that is fit for purpose, 
sustainable and stable, allowing us to plan ahead and invest to 
deliver rolling three-year financial plans 


We will continue to work to ensure that we have a funding model that 
meets our needs, as well as exploring innovative ways to fund our work. 


We will continue to work with Government to ensure that our funding 
model supports the fair and proportionate funding of our services based 
on a risk-based approach aligned to our regulatory priorities. This 
potentially includes recovering costs where services benefit the few, 
rather than the many, and adopting a ‘polluter pays’ approach where 
appropriate.


We will make sure that our plans and budgets enable us to maximise the
resources we put into proactive and ‘upstream’ work whilst delivering our 
statutory responsibilities. 


Actions: 


Funding Model - Develop proposals for cost recovery funding in all areas 
where this is appropriate - June 2021. 


Government Grant in Aid - Ensure that suitably long-term Government 
funding is in place for our regulatory responsibilities funded separately to 
the DP fee income - December 2020. 


Data Protection Fees - Make recommendations to DCMS on the fee tier 
system to ensure it is fair and proportionate - December 2020. 


Goal # 2 To have the systems and processes that support the
effective and efficient delivery of our services to our customers
and stakeholders


To achieve this, we have identified the following strategic priorities: 


Policy Methodology - supporting the development of iterative 
regulatory products and guidance in a modern, open and 
collaborative manner which reduce burdens on business, provide 
increased regulatory certainty and reduce risk for those we 
regulate 


We will ensure strong citizen, consumer, business, staff and other 
stakeholder voices are present in our policy and guidance development. 
In doing so, we will understand the practical application of our policies 
and use an evidence-based approach to understand their impact on the 
economy, society and behaviour. 


We will focus on maintaining the capability to produce co-regulatory tools 
and products wherever possible and ensure we have the capacity to bring 
forward products in a timely fashion. 


We will be informed by a wide range of research, stakeholder 
contributions and insight, ensuring that the perspective and needs of our 
customers, stakeholders and colleagues are taken into consideration and 
that our approaches are as inclusive as possible. 


We will routinely assess the impact and effectiveness of our policies and 
guidance, sharing lessons learned and re-evaluating where necessary. We
will refine them as we learn, taking account of their practical application
and their effectiveness. 


Actions: 


Horizon Scanning and Research - Establish our Domestic Regulatory 
Strategy Directorate and with it an agreed research programme which, 
when linked with our intelligence and insight activities, develops positions 
on emerging regulatory risks and opportunities on the horizon - April 
2021. 


Policy Development Methodology - Review and update our policy 
development methodology, so that it is recognised as supporting the 
development of iterative regulatory products and guidance in a modern, 
open and collaborative manner which reduce burdens on business, 
provide increased regulatory certainty and reduce risk for those we 
regulate - April 2021. 


Policy Profession - Ensure that the policy methodology is documented, 
agreed, and implemented with strong awareness and recognition across 
all members of the ICO’s Policy profession and incorporates clear 
principles to guide our stakeholder consultation - April 2021. 


Audience Awareness - Ensure that the policy methodology also supports 
the consistent development of guidance and advisory products which 
cover a full range of audiences, always including SMEs - April 2021. 


Economic Analysis - Introduce Economic Analysis function - April 2021.


Impact Assessment - Introduce a clear framework for assessing impact of 
our guidance and upstream advisory services and the delivery of guidance 
and policy products - April 2021. 


Risk and Governance - Working consistently, effectively and 
transparently guided by a clear risk appetite guiding decisions and 
actions in line with our complementary priorities to protect 
information rights, promote innovation and growth as well as be 
an employer of choice 


We will have a constitution and governance structure that meets the 
needs of a modern, forward looking organisation and regulator. 


We will continue to embed a strong risk management framework and 
process based on a robust three lines of defence to identify and manage
risks and opportunities in line with a clearly articulated risk appetite. This
framework takes account of the effectiveness of our proposed regulatory
interventions, the economic and wider regulatory impact on those who
have to apply them and how we ensure that we have a suitably wide
range of stakeholder input, with our views and approaches challenged and 
validated. 


We will ensure our decision making and accountability mechanisms, both 
internal and external, are clear and well communicated and, as our remit 
continues to develop, there is a clear structure to the way we work, how 
decisions are made and what is expected of leaders and managers. 


We will report the outcomes of our work, as well as what was done. This 
will include reporting against Key Performance Indicators to give our 
customers and stakeholders a clear understanding of our performance 
against our goals. 


Actions: 


Risk Appetite - Review the ICO’s corporate risk appetite and embed it into 
decision making processes - March 2021. 


Alignment - Align corporate and regulatory risk management practices, 
ensuring there is a clear and consistent approach to identifying, 
describing, scoring and mitigating risk - March 2021. 


Prioritisation - With particular reference to upstream regulatory activity, 
fully embed the three harms model to ensure proactive regulatory 
priorities are fully aligned with our supervisory priorities - February 2021. 


Decision Making - In addition to the existing scheme of delegation, 
publish a comprehensive organisational and decision-making chart for the 
ICO - January 2021. 


Business Planning - Review the corporate and business planning process, 
making any necessary improvements to the efficiency of the process or to 
bring about increased clarity in the plans produced - February 2021. 


Challenge Culture - Establish mechanisms to ensure a healthy challenge 
culture is promoted to underpin the reporting of progress and the 
recognition of performance and accomplishments, as well as ensuring 
there are mechanisms for wider input into decision making - February 
2021.


Benchmarking - On an annual basis, scan the horizon for developments in
the wider UK regulatory landscape. This will ensure the ICO is continually 
developing as a key UK regulator - May 2021. 


Goal # 3 To have an organisational culture, built around people 
with the right skills and experience, which meets the needs of our 
customers and stakeholders 


To achieve this, we have identified the following strategic priorities: 


Our values, Equality, Diversity and Inclusion - driving cultural 
development based on the ICO values to ensure there is an 
inclusive sense of shared ownership for the success and direction 
of the ICO 


We will continue to deliver our People Strategy, and embed the values of 
the organisation in everything we do, continuously listening to and 
engaging all ICO colleagues as the basis of the strategic transformation 
programme for our organisational culture. 


We will take steps to maximise the diversity of views and thoughts which 
inform our decisions and actions as a regulator and employer. This means 
ensuring our workforce at all levels is as representative as possible of the 
customers and stakeholders we serve and represent. It also means 
adopting approaches which bring a diverse range of views, perspectives 
and challenge to our planning and decision making. 


We will ensure the views and insights of our customers, stakeholders and 
all ICO colleagues are a key part of the future of the ICO as a highly 
productive and high performing organisation. 


We will ensure that we maintain a healthy balance between the need for 
policies and rules to maintain high standards of legal compliance and 
providing our people with autonomy and control to work innovatively and 
creatively to further our goals and objectives. 


Actions: 


People Strategy - To ensure the completion of all remaining actions from 
our people strategy in line with agreed milestones - July 2021. 


Policies and Procedures - Ensure we have the policies and procedures,
with associated training and monitoring, which define the leadership and
compliance culture for the ICO - December 2020.


Accountability - Take stock of our coaching and other personal
development programmes to ensure their focus on the development of
our accountability culture, promoting the taking of ownership and follow
up at all levels of the ICO - April 2021.


Diversity - Agree appropriate targets for the diversity of the ICO 
workforce and develop action plans to achieve each - January 2021. 


Transparency and Inclusion - Implement protocols to ensure ICO 
strategies, plans, decisions and daily working life benefit from as diverse 
a range of thoughts and perspectives as possible. These to include, but 
not be limited to: external stakeholder groups; our recognised Trade 
Unions; staff forum; ED and I networks and organisation wide feedback 
loops - January 2021. 


Workforce and Organisation Development - growing the technical 
knowledge and expertise of our workforce to support our evolving 
regulatory remit and services 


We will maintain and deliver detailed medium and longer term workforce 
and organisation plans. These will include ensuring we have the necessary 
skills, in particular in relation to technology, data science, cyber, 
economic analysis and research to deliver our plans. We will also increase 
our capacity and capability to take on complex studies and investigations. 
The workforce and organisation plans will inform how we will: 


• Upskill and train staff, using a forward looking, ambitious
programme of coaching and mentoring, as well as formal
training, qualifications, apprenticeship programmes and
professional development.

• Use fair and innovative methods to recruit staff to meet our
needs, including secondment and apprenticeship programmes
and the way we continue to address any recruitment or
retention risks.


We will embed our Management and Leadership Development Programme 
to continue to ensure that ICO managers and leaders are capable and 
fully skilled to lead a dynamic and fast paced organisation. 


Actions: 


Workforce Planning - Refresh and validate our workforce planning 
methodology and plan in light of the priorities described in this Capacity
and Capability Plan - Draft to MB at its November 2020 meeting and
finalised by February 2021. 


Recruitment Infrastructure - To support the ambition for our capacity and 
capability described in this plan, review and make any necessary changes 
to our recruitment infrastructure to underpin the recruitment to fill 
vacancies with high calibre and diverse candidates in the required 
numbers - January 2021. 


Job Evaluation - Implement a revised job evaluation scheme to ensure 
that technical specialist and people leadership responsibilities are 
recognised proportionately in line with ICO values when grading roles - 
April 2021. 


Key Roles - Ensure that key roles identified as a priority are filled to allow 
the ICO to meet demand and provide strategic leadership and resilience - 
January 2021. 


Productivity and Efficiency - Introduce a framework for targeting and 
measuring progress towards productivity and efficiency improvements 
which represent increasing value for money - April 2021. 


Priority Programmes - Maintain a framework for identifying and assigning 
resources to priority programmes of work quickly and effectively to 
ensure that key workstreams and programmes are resourced efficiently - 
December 2020. 


Government Spending Review - Ensure a plan is in place to respond to 
the outcome of the 2021-4 Spending Review, to develop the capacity and 
capability to deliver the agreed bids - December 2020. 


Leadership Development - Ensure all ICO Managers and Leaders have a 
leadership development plan in place, agreed with their line manager, 
which addresses any gaps in capability to operate in line with ICO 
leadership behaviours - October 2021. 


Recruiting Tech Capability - Complete development of clear framework for 
attracting and recruiting new technical capability to the ICO - January 
2021. 


Developing in house capability - Building on a proportionate skills audit, 
define and implement an ICO wide programme of training and 
development and ensure that all ICO roles include an appropriate ‘tech’ 
capability component - October 2021.


Service Excellence - understanding, committing to and delivering
excellent service 


We will embed excellent customer service, both internally and externally, 
focussing on the reliability and responsiveness of our services and 
maintaining strong relationships with our customers and stakeholders. 


We will maintain strong insight and understanding of the business models 
of those industries and sectors which are striving to use personal 
information safely to innovate to support economic growth, those with 
practices which represent the greatest risk to privacy and those which 
rely on the use of personal data as a basis for criminal activity. 


We will continue to build our capacity to provide upstream proactive 
services and develop our capability to support innovators, SMEs and the 
innovative use of data in the public sector. These services will focus on 
enabling growth in the data economy and have a combination of quick 
response and in depth, specialist support for our differing customer 
needs. 


We will make sure that our teams have the ability and are supported to
identify the most appropriate and proportionate regulatory intervention,
whether that be to produce simple, proportionate and timely guidance,
policies and upstream advice, or to take regulatory action where this is
appropriate.


We will understand the wider social and economic environment when 
considering our regulatory and corporate approach to issues and be able 
to evaluate risk, benefit and cost and take these into account in our day 
to day work. 


We will adopt a ‘share it once’ approach, where we look to share relevant 
information about our work internally and, where appropriate, externally 
as quickly, clearly and transparently as possible. 


We will make our services as accessible as possible, helping our 
customers, stakeholders and colleagues access the right services, 
knowledge and advice to help them to understand their rights, run their 
businesses and organisations and do their jobs. 


Actions:


Insight - Develop a proportionate framework of customer satisfaction
research to ensure that a rolling level of insight is maintained across our
main areas of public service - April 2021.


Risk based and outcome focused - To continue to enhance and embed our
Strategic Threat Assessment to see it more directly inform our service 
priorities for both up and downstream regulatory activity - October 2021. 


Impact Assessment - To complete the development of a comprehensive 
framework to support the measurement of the impact of our internal and 
external services - July 2021. 


Ease of Access - To review the interfaces between ICO customers and our 
services, identifying suitably innovative and engaging ways to meet the 
needs of customers - review to be complete by April 2021 with 
recommendations for developments fed into future plans. 


Accountability 


For each of the priorities in this plan we will produce, and regularly 
review, a series of targets and measurable actions. Progress will be 
reported to and overseen by our Management Board and published in our 
Annual Report to Parliament.